vgtore.blogg.se

Dyn updater last message repeated

A question that comes up every now and then is whether it’s possible to compose policies based on dynamic attributes provided with the request when querying Open Policy Agent (OPA) for decisions. Could we for example provide a group, team or role name as part of the input and have OPA evaluate all policies provided for that group, team or role, but no additional policies other than those?

Imagine you have several teams in an organization, each of them with their own responsibilities. These teams might include a compute team, a storage team and a networking team. When an end user tries to create a new resource, say on Kubernetes or a public cloud, we want OPA to decide whether the resource is safe or not. At this point OPA can look at the resource, and if it’s a compute workload (a VM, container, lambda), delegate the decision to the compute team’s policy. Likewise for network and storage.

Developers experienced in object-oriented languages might be familiar with the concept of dynamic dispatch, where an interface defines an action to be performed on some event, but the actual implementation of the action is not provided until the event actually happens. Similarly we can use policy composition to determine which policy should be evaluated when a request is received.

There are a couple of reasons why this might be a good idea. First, it helps organize policy documents in logical groups that make sense for the domain. While this type of policy organization is possible by dividing policy into multiple documents and having the application or service query OPA for specific documents, it requires the application to know which documents are relevant to the query, thus creating a coupling between the two. Secondly, the dataset needed for performing policy decisions could be big enough (several gigabytes) that running an instance of OPA per instance of the application, with all the data loaded into memory, would be prohibitively expensive. While it might be possible to partition the data and distribute it among OPA instances, it could be that all instances of OPA need access to all available data, thus forcing only a few instances of OPA to serve all applications in a system. Lastly, just like resource and cost constraints sometimes define the design of a system, architectural decisions commonly enforce other types of constraints. One such model where policy composition makes sense could, for example, be that of multi-tenant systems, where many (potentially thousands of) users share the same instances of OPA without having access to (or even knowledge of) the policies or data owned by other tenants of the system.
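
The team-based delegation described above, sketched in Rego as an added example (not code from the original article). The package names `main` and `teams.*`, the `owner` mapping and the shape of `input.resource` are assumptions made for illustration; each `# --- file:` section is a separate file, since OPA allows one package per file.

```rego
# --- file: main.rego (entry point the application queries: data.main.allow) ---
package main

import rego.v1

# Anything no team policy explicitly allows is denied.
default allow := false

# Constructed mapping from resource kind to the owning team's package.
owner := {
	"vm": "compute",
	"container": "compute",
	"lambda": "compute",
	"volume": "storage",
	"load_balancer": "network",
}

# Dynamic dispatch: the team is derived from the input, then used as a key
# into data.teams. A kind with no owner, or a team with no policy loaded,
# leaves this rule undefined, so the default deny applies.
allow if {
	team := owner[input.resource.kind]
	data.teams[team].allow
}

# --- file: teams/compute.rego (owned by the compute team) ---
package teams.compute

import rego.v1

default allow := false

# Hypothetical compute rule: containers must not run privileged.
allow if {
	input.resource.kind == "container"
	not input.resource.privileged
}

# --- file: teams/network.rego (owned by the network team) ---
package teams.network

import rego.v1

default allow := false

# Hypothetical network rule: load balancers must be internal.
allow if {
	input.resource.kind == "load_balancer"
	input.resource.internal
}
```

The application only ever queries `data.main.allow`, so it stays decoupled from which team document applies. Routing through the `owner` map rather than a team name taken straight from the request keeps the caller from choosing which policy judges it.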










